Our use cases are mostly for security and detection, basic use cases. It's always been a security use case. We never used it for observability or ITSI.
Our analysts use it a lot.
I like that it's a review panel, you can see all of your alerts. Another valuable feature is that it integrates with other apps like UBA and SOAR.
I also like the guided alert creation. The guided alert creation is useful, especially for new people who don't know CPL.
It's a premium app, it's easy to use and intuitive.
Enterprise Security has one pane of glass for all of our alerts. We still use the Enterprise Security page where we keep track of everything.
It's very important to us that Splunk offers end-to-end visibility into our environment. It has the ability to identify any security events or if data is reingested, we'll get an alert for that. End-to-end visibility is very important for a mature security program.
Splunk helped to ingest and normalize data. Anytime that we put data in, we always normalize the SIEM model. ES runs off of that so it helps us to dot our I's and cross our T's. It helps us to use our data effectively.
It has tools to reduce our alert volume. We get a lot of alerts. It's more of a tuning thing than anything that the app can help with.
It provides us with the relevant context to help guide our investigations. It's really useful in that aspect.
It hasn't reduced our MTTR. SOAR would do that. It has helped our mean time to detect.
It has increased our business resilience. It's a top-of-the-line SIEM security product. It's the best tool for our security analysts which helps them do their job better. That then protects our company from adversary actors.
I have been using Splunk Enterprise Security for about five years.
I've never had too many issues with the stability. Years ago we had indexes crash but that was more on us. We didn't understand how to properly size Splunk. If you work within the required parameters, it's stable.
Their support is great. I've never had any issues with them.
Positive
The setup was pretty straightforward unless you add a search head cluster. Then it becomes a lot more complicated very fast. Other than that, it's not too bad. It's pretty simple and intuitive. I've done it before and it's not difficult especially if you have the docs to help you.
I can't speak to the dollar amount but we see ROI in the way that it helps the analysts to better do their work. It helps keep track of things and having one pane of glass for all things data.
I would rate Splunk Enterprise Security a nine out of ten. It's a top-of-the-line product. It allows analysts to do their jobs better. It's a single pane of glass. It's a fantastic tool that we couldn't do our work without.
We use Splunk Enterprise Security for a lot of use cases. We use the predefined use cases and dashboards for AWS, notable events, endpoint detection network, and audit notable events.
The most valuable function is the notable events. When I joined the team, I asked them what they could currently see, and they said nothing. I was pretty shocked. I know that they were using Enterprise Security or at least they had purchased it. I told them that there are several dashboards within Splunk that we can leverage. There is also notable events where we can see potential incidents or potential alerts about the infrastructure and the network itself.
The dashboards give us numbers for malware infection. So long as those dashboards are actionable, they help the SOC team a lot.
It's important to respond to incidents in a timely manner. Having end-to-end visibility across the board equips the team to make sure that whatever incident happens, it has a very minimum impact on the business. It also allows us to fix things that need to be fixed immediately. That's the asset of having end-to-end visibility across the board.
Enterprise Security really helps us normalize our data because it comes with predefined dashboards, so we only need to ingest the logs and Splunk will do the work to display what we need to see on a day-to-day basis.
When we started using Splunk, we had tons of false positives. We reduced our alerts by 90%. Most of our alerts now are actionable.
I would like to have fraud detection features. Fraud is within the same turf as with security operations. Fraud and cybersecurity work hand in hand. I would like to have detection capabilities, or at least dashboards in Enterprise Security for fraud.
There's already a fraud offering from Splunk for fraud use cases but it's different. I need to get professional services for me to get that feature. It would be much more cost-efficient for customers if all those dashboards could be readily available within ES.
I have been using Splunk Enterprise Security since I joined my company in 2019, so it's been roughly five years.
Cisco just acquired Splunk so I expect the stability to still be the same since Cisco is established.
I would rate support a nine out of ten because there's always room for improvement.
Positive
I would rate Splunk Enterprise Security an eight out of ten. To make it a perfect ten, I would like to see them implement the fraud detection features.
Our security relies on Splunk Enterprise Security to analyze data models for malware, threats, and MITRE ATT&CK techniques. Pre-built dashboards and multiple correlation searches help us identify anomalies. Any suspicious events flagged by the MITRE framework are categorized and assigned as tickets to our engineers for investigation and mitigation.
Splunk has streamlined our incident response by automating key processes. For instance, alerts trigger upon exceeding three failed login attempts, automatically assigning tickets for review. Similarly, unauthorized access attempts from unfamiliar regions are automatically blocked. These automated data-driven responses significantly improve our overall incident response efficiency.
The customizable dashboards offer great visualization and extra add-ons.
Splunk Enterprise Security helps us to easily monitor multiple cloud environments.
Mission Control lets us monitor and manage our security from a single panel.
Based on my short experience, I would rate Splunk Enterprise Security eight out of ten for its ability to analyze malicious activity.
Splunk Enterprise Security helps reduce our alert volume.
Splunk Enterprise Security streamlines our security investigations by providing a central platform and offering a growing library of add-ons that expand our investigative capabilities.
Splunk Enterprise Security stands out for its ability to integrate with existing security tools, provide informative dashboards, and offer IT Service Assurance functionality that goes beyond basic threat detection to include service performance monitoring.
Splunk Enterprise Security offers a vast amount of information to learn and comprehend, resulting in a challenging initial learning curve.
Extracting logs from Splunk for analysis in other applications is crucial for me. This would allow me to identify correlations between data sets and make informed decisions about next steps. Unfortunately, the current Splunk workflow seems to hinder data verification.
The licensing cost could be more competitive, as some of our competitors offer lower prices.
I have been using Splunk Enterprise Security for one year.
We have encountered issues when updating features where Splunk Enterprise Security doesn't work properly. I would rate the stability of Splunk Enterprise Security seven out of ten.
The technical support team is always supportive but their response time and knowledge can be improved.
Positive
The initial deployment was straightforward.
The license for Splunk Enterprise Security is expensive.
I would rate Splunk Enterprise Security eight out of ten.
We have Splunk Enterprise Security deployed across multiple locations.
The resilience Splunk offers is good.
I recommend Splunk Enterprise Security to others.
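The three-failed-logins trigger described in this review, written out as an added correlation search for this page (not the reviewer's own configuration). It assumes the authentication logs are already normalized to the CIM Authentication data model and that the search is scheduled every 10 minutes over the previous 10 minutes, so each result is a user who exceeded three failures in one window and can be routed to a ticket.

```spl
| tstats summariesonly=true count AS failures
    values(Authentication.src) AS sources
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY Authentication.user _time span=10m
| rename Authentication.user AS user
| where failures > 3
| table _time user failures sources
```

The `summariesonly=true` flag keeps the search on accelerated data model summaries, which is what makes it cheap enough to run on a short schedule; drop it while testing on un-accelerated indexes.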
Splunk Enterprise Security is used for security monitoring. It helps manage the governance of the security monitoring from the start of an incident to the resolution.
Splunk Enterprise Security offers excellent visibility across multiple environments. It's a flexible platform with virtually no limitations.
The actionable intelligence provided by the threat intelligence management feature is good.
Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.
Splunk Enterprise Security helps us detect threats much faster than before.
Depending on the client and their configuration, Splunk Enterprise Security can help reduce their alert volume by under 50 percent.
Splunk Enterprise Security helps our clients expedite security investigations. It achieves this by streamlining the process of finding evidence and incident logs within Splunk's data module.
Splunk Enterprise Security offers two valuable features: the Common Information Model and arrangement modules. The CIM helps standardize data for efficient searches, while arrangement modules automate incident log processing by enriching them with contextual client information.
While Splunk offers SOAR as a separate product, integrating it into the next version of Splunk Enterprise Security as a unified solution would be beneficial.
I have been using Splunk Enterprise Security for 2 years.
Splunk Enterprise Security is stable.
Splunk Enterprise Security is scalable.
The technical support experience is moderate. It can take a long time to resolve issues, and I often need to explain the problem to multiple support representatives. Ideally, I would have a single point of contact assigned to my ticket throughout the entire process.
Neutral
The initial setup of Splunk Enterprise Security involves moderate complexity. Deployment time can vary significantly, ranging from one hour to one month, depending on the environment's complexity.
Splunk Enterprise Security is expensive.
I would rate Splunk Enterprise Security 7 out of 10.
I suggest integrating SOAR with Splunk Enterprise Security.
We use Splunk Enterprise Security to teach our students about security awareness in a more positive way. We can show them how these tools work and the benefits they bring. This will help them understand the importance of using Splunk Enterprise Security, not just for our clients, but for ourselves as well.
The Splunk dashboards are user-friendly.
I would rate Splunk's threat topology an eight out of ten. The threat topology provides a complete map so we can investigate security incidents quickly.
To effectively utilize Splunk for malicious activity analysis, a comprehensive understanding of the different event types and their functionalities is crucial. This involves examining specific events associated with potential malware, such as changes in system behavior. By gaining clear visibility into these events, we can identify the malware's goals within our environment and stop it.
Splunk helps us detect threats within three minutes.
We realized the benefits of Splunk within eight months. Splunk Enterprise Security helped secure our environment faster than other security solutions.
Splunk has helped reduce our alert volume.
The Splunk queries are valuable. There are a lot of query options available in Splunk compared to Sumo Logic.
It is difficult to monitor multiple cloud environments using Splunk.
I would like the ability to view logs for specific instances and not have to pull the logs for the entire Cloud environment in Splunk.
As the number of environments monitored by Splunk increases, the resource demands also grow, potentially slowing down the system.
Splunk's threat intelligence system gets a seven out of ten. There are frequent delays in updates, which can take up to three months for Splunk to make available.
I have been using Splunk Enterprise Security for one year.
I would rate the stability of Splunk Enterprise Security ten out of ten.
The resilience is good. I have not faced any issues.
I would rate the stability of Splunk Enterprise Security nine out of ten.
The technical support team is good.
Positive
The initial setup is straightforward. Splunk provides wonderful documentation to help with the deployment.
Splunk Enterprise Security is priced lower than competitors.
Splunk Enterprise Security is a good choice for startup companies because of the lower cost.
I would rate Splunk Enterprise Security nine out of ten.
Maintenance is required to address the false positive alerts.
I recommend Splunk Enterprise Security to others.
Through Splunk Enterprise Security, we have implemented extensive login integration. This allows us to monitor and restrict access for sensitive accounts, such as superuser and master accounts when password rotations occur. If a login attempt is made for such an account, Splunk triggers a real-time workflow that automatically generates a P1 ticket for the Help Desk and IAM Operations teams to investigate and take necessary action.
Beyond real-time monitoring, we have established additional security measures. We utilize locks within JBOS to control manual account check-ins and user server activity, such as password verifications. Splunk ingests logs from any configured PAM solutions, enabling auditors and our technical team to readily access and analyze all privileged activities. We can also generate reports for session management, session logs, and audit logs.
Splunk Enterprise Security can enhance our organization's detection capabilities. While SIEM solutions are essential for most companies, choosing the right one is crucial. Splunk Enterprise Security is a popular option, and its benefits extend beyond technical teams. It can empower audit teams and provide visibility into user activities, including data sharing and out-of-the-box reports. Splunk's strength lies in its flexibility. It can integrate with other tools to fill any gaps in its capabilities. However, relying solely on one tool like Splunk isn't ideal. PAM tools often have built-in auditing and reporting features, but they may not offer the same level of customization or enterprise-wide visibility. This is where Splunk comes in. It provides a complementary solution, offering multiple ways to generate reports and gain insights.
We recently focused on enhancing Splunk Enterprise Security's identity correlation capabilities. This involved integrating it with several chosen applications. One key integration involved moving from Puppet to Ansible for managing privileged access management and performing virtualization tasks. Ansible allows for agentless management, meaning we don't need to install agents on every server. For broader asset management, we leverage CI/CD tools for efficient deployment across all servers. These tools significantly reduce the manual effort required.
Splunk Enterprise Security offers good visibility into multiple environments. However, certain applications in the financial sector, particularly for high-risk activities, still face regulatory or compliance restrictions that prevent them from migrating to the cloud. Despite these limitations, we see forward-thinking institutions like JPMorgan Chase taking the initiative to move lower-risk applications to the cloud. This trend extends beyond finance, with other sectors like healthcare already embracing cloud adoption.
In my assessment, Splunk Enterprise Security earns an eight out of ten for its ability to detect malicious activities and breaches, but only a seven out of ten for taking action.
Once we have an enterprise version set up, Splunk handles the initial identification steps of potential threats, saving us manual effort. I'd even rate Splunk a perfect ten for this initial phase. However, subsequent action items still require manual intervention – a bottleneck we can minimize with additional tools like endpoint security threat analytics that integrate with Splunk. This would enable complete threat modeling, including asset identification and mitigation directly within Splunk. Unfortunately, our company hasn't invested heavily in threat modeling, with a limited team compared to the larger IAM and risk groups. Thankfully, the industry is recognizing the importance of threat modeling, leading to increased hiring in this area.
Splunk Enterprise Security has significantly reduced our alert volume. This has freed up a substantial portion of the IM operations team, who were previously tasked with continuously monitoring for threats and anomalies across various applications, not just spam. By leveraging these threat detection tools, we anticipate being able to reduce IM operations staff by at least 50 percent.
Splunk Enterprise Security facilitates the acceleration of our security investigations, reducing the required time from one week to one day.
One of the features I appreciate most is privileged account threat detection. It identifies suspicious activity associated with fraudulent accounts detected on the endpoints of target systems.
Furthermore, the platform offers threat analysis and reporting that leverages Splunk data. This allows for the detection of irregular user access from machines directly. This functionality is crucial in large PAM environments with thousands of users, as it identifies inactive accounts.
For scenarios where users might not access the PAM portal to change passwords, different policies are implemented. Splunk plays a key role in detecting irregular user activity. By establishing a three-month threshold, we can identify cases where users haven't used their accounts despite not being on leave or vacation. Such instances warrant investigation to determine the continued need for privileged access.
We can automatically suspend or terminate suspicious sessions. We have also customized reporting within Splunk.
There are limitations with Splunk not detecting all user activity, especially on mainframes and network devices. This is because Splunk relies on agents, which cannot access certain workstations. In these cases, we have to rely on application data. For example, with mainframes, manual reports are generated and sent to Splunk, limiting visibility to what's manually reported. This lack of automation for specific platforms needs improvement from Splunk. Additionally, API access is limited for other applications that rely on API calls and requests. This requires heavy customization on Splunk's end. These are the main challenges we've encountered.
Monitoring multiple cloud platforms, like Azure, GCP, and AWS, with Splunk Enterprise Security presents some challenges. While Splunk provides different connectors for each provider, consolidating data from two domains across distinct cloud environments can be complex. However, leveraging pre-built templates and Splunk's data collation capabilities can help overcome these hurdles. Despite initial difficulties, I believe Splunk can effectively address this task, earning it an eight out of ten rating for its multi-cloud monitoring capabilities.
While Splunk Enterprise Security offers insider threat detection capabilities, its effectiveness could be enhanced by integrating with additional tools, such as endpoint security solutions. This integrated approach is particularly crucial for financial institutions, which often require dedicated endpoint security teams. While using multiple tools is valuable, further improvements within Splunk itself are also necessary. Considering both external integration and internal development, I would rate its current insider threat detection capabilities as three out of ten.
Threat detection is where Splunk falls behind. While it offers tools, other use cases require additional work. PAM is an enterprise tool that centralizes information about users, servers, and everything else. It needs real-time monitoring, which I haven't seen in any of the companies I've worked for. They only rely on Splunk for alerting, but real-time monitoring should be handled by the endpoint security team's tools. This means there's no detection or analysis at the machine or endpoint level. Additionally, threat analysis reporting is also absent.
I currently use Splunk Enterprise Security.
Splunk Enterprise Security's scalability and ability to handle large data volumes is great. Splunk can manage a lot of users and applications. I would rate the scalability a nine out of ten.
The technical support is a bit expensive but they respond quickly.
Positive
Splunk Enterprise Security is expensive but the solution is equipped with a lot of features.
My rating for Splunk Enterprise Security depends on the type of logs being analyzed and the company's specific environment and setup. If a company is actively comparing Splunk to competitors and their environment aligns well with Splunk's strengths, then a score of nine out of ten is justified.
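The three-month inactivity check this review describes, as an added example search for this page rather than the reviewer's own report. It assumes PAM session events land in `index=pam` with sourcetype `pam:session` and a `user` field, and that a lookup file `privileged_accounts.csv` (a hypothetical name) lists the accounts that should be reviewed, with optional `on_leave` and `owner` columns.

```spl
| inputlookup privileged_accounts.csv
| where isnull(on_leave) OR on_leave!="yes"
| fields user
| append [ search index=pam sourcetype="pam:session" earliest=-90d@d
           | stats max(_time) AS last_seen BY user ]
| stats max(last_seen) AS last_seen BY user
| where isnull(last_seen)
| lookup privileged_accounts.csv user OUTPUT owner
| table user owner
```

Accounts that appear only in the subsearch (active, not in the lookup) are dropped by the `isnull(last_seen)` filter, so the output is exactly the privileged accounts with no PAM session in the last 90 days that are not marked as on leave.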
We typically suggest Splunk IT builds for customers with significant EPS requirements and large-scale data environments. While other solutions like Foundry and IBM QRadar may be popular, they often have limitations in handling big data effectively.
It offers visibility across various environments, encompassing diverse infrastructures such as multiple firewalls. Some environments are entirely cloud-based, while others follow a hybrid model with services both on-premises and in the cloud. The infrastructure setup varies depending on the organization's specific model and needs.
We are highly satisfied with the level of visibility provided by Splunk.
It offers advanced threat detection capabilities to assist organizations in uncovering unknown threats and anomalous user behaviors. Splunk is utilized for integrating various devices including firewalls and other security controls, enabling coordination of logs and the creation of use cases. Analysts investigate alerts generated by these use cases, identifying and mitigating potential threats. Additionally, Splunk provides built-in and customizable use cases to enhance security measures.
We utilize the threat intelligence management feature in Splunk, which includes the provision of IOCs. Additionally, we have third-party intelligence services integrated into Splunk, which alert us whenever any related feature is triggered.
The effectiveness of the actionable intelligence offered by the threat intelligence management feature hinges on the third-party engines integrated or enabled within it. While false positives are common and require investigation, there are instances where identified IOCs are indeed malicious. In such cases, actions like reporting or following a predefined playbook can be taken.
We leverage the Splunk Mission Control feature, and I have hands-on experience with it. Typically, I manage it through Splunk, where I create rules, reports, and dashboards. Enabling third-party intelligence and other features involves a thorough review process, particularly when onboarding new clients. Once set up, we regularly review our baseline configuration and make adjustments as needed to ensure optimal performance. The Splunk Mission Control feature aids our organization in centralizing our threat intelligence and ticketing system data management. We integrate third-party intelligence services along with our company's proprietary advisories, particularly in the retail sector. This integration enables us to maintain a comprehensive reference set within Splunk.
We utilize the Threat Topology and Mitre ATT&CK Framework features to enhance our understanding of threats. These features offer micro-mapping visibility, allowing us to align identified needs with specific techniques.
The purpose of the Mitre ATT&CK Framework is to aid in discovering and understanding the full scope of an incident. Using the micro-hypotheses, we assess whether our subcontractors are adequately covered. We evaluate our rules to determine whether we have sufficient use cases for tactics and techniques, such as initial access. This process helps us identify any gaps in coverage within the Mitre ATT&CK Framework and address them accordingly.
Splunk is a valuable service for analyzing malicious activities and detecting breaches. However, I recommend ensuring comprehensive coverage of threats by integrating all relevant devices and maximizing visibility into logs. For instance, leveraging firewall logs enables the detection of anomalies at the network level, while logs from EDR solutions can identify malicious activities on endpoints.
Splunk has significantly improved our threat detection speed. Comparatively, when working with other teams, I've found Splunk to be more efficient due to its big data capabilities, allowing for faster analysis compared to IBM QRadar and similar tools.
The primary benefits our customers experience from utilizing Splunk in their organization are significant. While Splunk may be more costly compared to other machine solutions, its effectiveness shines in handling large volumes of data, making it ideal for organizations with extensive data needs. Unlike solutions like IBM QRadar, which may struggle with processing large amounts of data efficiently, Splunk's big data capabilities enable it to excel in such scenarios.
Splunk Enterprise has effectively decreased our alert volume across various use cases. Whenever we develop a new use case, we carefully analyze it, occasionally encountering false positives. In such instances, we collaborate with IT to whitelist these cases. Over time, as we accumulate a robust whitelist, the ratio of false positives diminishes, resulting in a higher rate of true positive alerts.
It has significantly accelerated our security investigations, proving to be immensely helpful. We can efficiently track and analyze user activities with most devices integrated into the Splunk environment. The visibility provided by Splunk allows us to coordinate activities seamlessly and thoroughly investigate any detected incidents. Whether it's identifying the origin of an activity or uncovering correlations between events, Splunk enables us to piece together the entire user activity chain swiftly and effectively.
Compared to other SIEM products, I've found that Splunk offers quicker alert resolution times. Its ability to efficiently handle large data volumes contributes to this advantage. Analysts typically have predefined playbooks and investigation checklists for when alerts are triggered, which Splunk supports well. Additionally, we've customized dashboards and reports to further streamline our detection process, ultimately reducing our response time.
For those seeking cost-effective solutions, Elastic Stack stands out as a popular choice due to its single-source administration and competitive pricing. Many industries, recognizing its affordability and robust services, are swiftly adopting Elastic and other similar solutions like Wazuh.
The value of resilience in a SIEM solution varies depending on the organization's preferences and requirements. Some organizations prioritize high availability and disaster recovery capabilities, which contribute to resilience.
As an analyst, I've observed that Splunk offers a variety of rule sets, along with built-in and customizable use cases. We have the flexibility to create dashboards and expand reports for management visibility. One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities. With Splunk, we can seamlessly integrate and coordinate data from various sources, enhancing our analytical capabilities.
I believe there is room for improvement in reducing costs, particularly in the financial aspect, as Splunk tends to be pricier compared to other options. Additionally, enhancing support services with more technical personnel is essential. Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets. Splunk's pricing may pose a barrier for some users, but if it becomes more competitive, it could attract those currently using IBM QRadar or similar solutions. Additionally, considering the trend towards migration to Microsoft Sentinel, which offers a comprehensive suite including identity management and EDR coverage with Microsoft Defender, Splunk could benefit from offering similar modules. In Microsoft Sentinel, they offer a separate identity management module, which I find particularly valuable. Any anomalies detected within identity management trigger alerts, providing enhanced security.
I have been working with it for two years.
It provides good stability capabilities.
The scalability of Splunk, particularly when implemented as an enterprise solution, is notable. While we work with a limited number of clients, typically five to six, they are spread across various locations, including the US and Pakistan. From a maintenance perspective, our operations are based in Pakistan. Our clientele predominantly consists of customers from Gulf countries, and we also extend our services to clients in the US.
There have been instances where the response time from Splunk's support team has been slower in comparison to others. I find IBM QRadar and similar solutions to have more efficient support teams. I would rate it five out of ten.
Neutral
Our deployment team handles both deployment and support services, including maintenance responsibilities.
It offers a return on investment for our company.
Overall, I would rate it eight out of ten.
I've been building SOCs for multinational banks across Asia and Australia, the Middle East, and right now in the United States.
It's the tool that we use to build SIEMs to meet logging requirements and to identify security issues across larger states of data sets.
We wanted to give our analysts visibility in near real-time to problems as they occur. That's the goal.
By using the frameworks that we've adopted, like MITRE ATT&CK and the coverage mapping, we're able to show the divisions that we have in our detection environment. And we map that across with our prevention layers just to describe to the business the deficiencies we have. We can show, for example, these are the areas we can't see since we don't have logging for them, and/or these are the areas we can spend more time on to draw down risk due to the fact that, while we have the logging, we haven't got the searches and correlation searches in place. That would perform detection behind the preventative controls. So it gives us a guide as to where we can spend time better.
The feature that we use the most is the correlation search engine within ES. That is the one we use. Absolutely the most. There are a lot of other features in there, however, that's the one we use.
Our organization does monitor multiple cloud environments. It's not "easy" per se. I'm a Splunk-certified architect. I've got 30 years of experience. If you've got 30 years of experience and you're a Splunk-certified architect, it's easy. If you haven't, you've got no chance.
Splunk Enterprise Security's visibility into multiple environments, for example, cloud, on-prem, and hybrid is good. Splunk doesn't care. It's as easy on-prem as it is on the cloud, as it is hybrid. I've built up all three individually and separately depending on the environment.
The insider threat detection capabilities for helping our organization find unknown threats and anonymous user behavior are okay. It can do it, however, it is not out of the box a UEBA. It doesn't pretend to be. Splunk has a separate product for that which is not the enterprise security suite. That said, if you enable the access domain correctly within ES, it gives you really good insight into what your Insight users are doing. That's what the access domain is. However, it doesn't have the advanced features that you would expect from your UEBA product as it is not one.
We use the threat intelligence management feature. My impressions of the actionable intelligence provided by the threat intelligence management feature are mixed. We import anomaly threat intel into the Splunk ecosystem to do that. We use the framework that Splunk provides, and we supplement it with the threat intel from a third party, and that works really well.
We use the MITRE ATT&CK Framework. We've mapped all of our detections around that MITRE framework. There are four frameworks built in, and we chose MITRE. It just makes more sense. You only pick one. There's no sense in picking more than one.
It’s helpful to uncover the overall scope of an incident. If you've done the work to map your MITRE ATT&CK Framework into the product, then you have a hit against a MITRE ATT&CK technique. Then at least you know where it is in the MITRE ATT&CK framework so that you can describe it as a common frame of reference with a third party. However, it doesn't necessarily give you an idea of the scope. It requires more effort. That said, it's certainly a really good starting guide as to where you are.
Splunk Enterprise Security is okay for analyzing malicious activities and detecting breaches. It's only as good as the operators that use it. Out of the box, it doesn't do anything. You have to put the work in to make it do that. I can't begin to say how useful it is when it's first configured. You need to spend a lot of time working on your environment to make it do that.
It helped us detect threats faster. Without it, you can't check anything. It's too complicated.
The solution has helped us speed up our security investigations. Without it, you don't have investigations. Also, with the alerting itself, Splunk becomes best of breed.
Enterprise Security hasn’t helped us reduce our alert volume. The analysts have, however.
We do all of our enterprise security on-prem. We avoid the Splunk Cloud solution since we want the flexibility to build our own. It is a hugely complicated product. Obviously, anything that they could do to make it easier would be ideal.
I've used the solution for over ten years.
It's rock solid. It never failed. Having resilience in our organization is fundamental to our security position.
We're a multinational and have Splunk in the UK and US. We have 2,000 employees and 2,000 endpoints at the employee level. We also have around 12,000 production endpoints, and it runs across a multi-cloud hybrid that includes GCP and AWS. It also has a tiny on-prem footprint.
You can horizontally scale someone instantly. I've never been afraid we would exceed horizontal requirements.
We don't use technical support.
I did not previously use a different solution in this company.
A long time ago, the company replaced ArcSight with Splunk.
The initial deployment was complex.
Our strategy has been to avoid clustering for searching and to build a significantly larger virtual machine for running the ES environment as a stand-alone. It's got 128 cores and 256 GB of RAM so that it can run inside itself and not have to cluster, since a cluster adds too much complexity.
We only need one person, myself, to deploy the solution. I'm a Splunk-certified architect and I have 15 years of experience doing nothing but Splunk.
The solution does require some maintenance. We have seven people in total handling maintenance.
I have witnessed ROI. However, luckily, our center does not have to pay for the license.
We get enterprise licensing via Intuit, our parent company. The licensing is horrendously expensive.
I did not evaluate other options. This solution was in place when I arrived.
I'm an end-user.
If you are looking for a cheaper option, you probably don't have a focus on security or have a risk that you care about enough to purchase a premium solution. If you look at the Gartner roadmap, Splunk is a clear leader, and it's always at the top right quadrant. Everything else is attempting to catch up to Splunk. There's no one else in front of it. If you choose something like Elastic or Sumo, your company doesn't place an emphasis on security.
I'd rate the solution nine out of ten. It's a lot of work. Almost nothing works out of the box. You have to invest in it for three to five years at a minimum.
